Protecting Your Brand - GDPR, CCPA, and More

Allan Peretz
April 1, 2021

If you’re like most marketers, you probably aren’t excited by the intricacies of international law. Because of recent legislation both in the United States and abroad, though, a lack of awareness can lead to gigantic penalties, potentially in the millions or even tens of millions of dollars. To avoid these expensive fines and, potentially, even more expensive damage to your company’s reputation, you need to be aware of the risks.

This article summarizes "The Scary Seven" regulations that could get you into trouble: the GDPR, the ADA, state sales taxes, the CCPA, the CPRA, Prop 65, and the CAN-SPAM Act.

Official Disclaimer: The information in this article does not, and is not intended to constitute legal or tax advice - it is for informational purposes only. If any of this raises concerns, please do seek further advice from your attorney or a tax professional (I am neither).

With that out of the way, let’s get on with our list!

The GDPR: The European Union describes the General Data Protection Regulation as "the toughest privacy and security law in the world," and it might be right. In 2019, France's data protection authority (the CNIL) fined Google 50 million Euros (almost $60 million as of this writing) for breaching the regulation's transparency and consent requirements. The GDPR applies to anyone processing the personal data of people in the EU, whatever their citizenship, so if you do business in the EU or market to people located there you likely fall under its jurisdiction and could be subject to fines of up to 20 million Euros or 4% of the preceding year's worldwide annual turnover, whichever is greater.

Most of all, the GDPR is concerned with the collection, handling, and disposal of "personal data" (any information that can directly or indirectly identify a person). This includes not only information like names and addresses but also social posts, photos, and online identifiers such as IP addresses and cookie IDs. Article 5 of the GDPR sets out the key principles for processing personal data: lawfulness, fairness, and transparency; purpose limitation (using data only for the purpose it was collected for); data minimization (asking for the least amount of data necessary); accuracy; storage limitation (not keeping data longer than needed); and integrity and confidentiality, meaning the data must be kept secure.

"Sensitive data" (what the GDPR calls "special categories of personal data" in Article 9) is a subset of personal data that reveals things like racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, or sex life and sexual orientation, and it gets even stronger protections. (Financial information is not a special category, but it is still personal data and still covered.) In general, this data should not be processed at all except in specifically authorized circumstances, such as with the person's explicit consent or when necessary for a medical diagnosis. When collected, it should be protected very carefully using encryption, access controls, physical security, and other safeguards.

The implications of the GDPR on your digital marketing efforts can be extensive, impacting everything from website copy and forms to how and where your data is stored. You should conduct an in-depth compliance review with your IT department and with any other entity (internal or external) that processes user data for you so that you protect your consumers’ privacy and you protect yourself from costly fines.

The ADA: When you think of the Americans with Disabilities Act, you likely think about accessibility requirements for retailers, restaurants, and other businesses. These are important parts of the act, but the ADA also affects how your website or web store should be designed. The employment provisions (Title I) apply to your company if you have 15 or more employees for 20 or more calendar weeks in a year; the public-accommodation provisions (Title III), which are the ones courts have applied to websites, have no employee threshold.

The ADA's standard is that people with disabilities get "full and equal enjoyment" of what you offer. What this means for a website isn't explicitly stated by the ADA itself, but courts and settlement agreements have generally pointed to the World Wide Web Consortium's detailed "Web Content Accessibility Guidelines" (WCAG), in version 2.1 as of this writing, usually at conformance level AA. A WCAG quick reference is available online; here are some examples of included requirements:

  • Non-text elements (images primarily) should have a text equivalent
  • Captions should be available for pre-recorded audio and video content
  • Text and images of text should have sufficient contrast with their background (at least 4.5:1 for normal text and 3:1 for large text at level AA)
  • Web pages shouldn't include anything that flashes more than three times in any one-second period
  • Color should not be the only visual means of conveying any important information

There are a number of tools available that will check your website for WCAG compliance; AudioEye and AccessiBe are two examples. Automated checkers are a good first pass for the mechanical rules (missing alt text, insufficient contrast, missing form labels), but they cannot judge whether a text alternative is meaningful or whether a page is actually usable with a screen reader, so pair them with manual testing before you treat a site as compliant.

State Sales Tax: This is a real can of worms for brands or, more precisely, 50 different cans of worms. The first challenge when it comes to state taxes is determining where you have "nexus." This is just a fancy word for saying that you have a connection to the state. It traditionally arose from having facilities or staff there, but since the Supreme Court's 2018 decision in South Dakota v. Wayfair, states can also impose "economic nexus" based purely on how much you sell to that state's consumers. When you have nexus in a state, generally you have to collect and remit sales tax to that state.

The problem is that each state defines nexus in their own way making it extremely difficult to stay compliant. In some cases, though, “marketplace facilitators” (Amazon is an example) will collect and pay state taxes on your behalf for products sold on their platforms. When you sell through these channels, you’re covered in most states for those sales.

The cost of sales tax compliance can be very high. If you’re a small or mid-sized business and you don’t have an army of CPAs on staff, you may find it overwhelming. Fortunately, there are some great solutions out there that can keep you in check without a whole lot of fuss. Check out TaxJar, for example, if you’re looking for a fully-automated solution.

The CCPA: The California Consumer Privacy Act was passed in 2018 and went into effect in January 2020. It applies to your company if you meet any of the following criteria: annual gross revenue above $25 million, 50% or more of your annual revenue derived from selling consumers' personal information, or buying, selling, or receiving for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

The California Office of the Attorney General has posted a great “fact sheet” on their site about what the CCPA requires, but at a high level it grants California consumers:

  • The right to know what personal information is collected, used, shared or sold
  • The right to delete personal information held by a business (or their service provider)
  • The right to opt-out of the sale of personal information
  • The right to non-discrimination in price or service when the consumer exercises a CCPA privacy right

In many ways, the requirements of the CCPA are similar to those of the GDPR. If you’re a mid-sized or larger company selling across the US and in the EU, you’ll need to comply with both laws.

The CPRA: Passed by California voters as Proposition 24 in November 2020, the CPRA (California Privacy Rights Act) is the younger and tougher cousin of the CCPA. It doesn't take effect until January 1, 2023. The CPRA puts "teeth" into the CCPA by establishing a new enforcement entity called the "California Privacy Protection Agency" (the CPPA, in case you didn't already have enough acronyms). Like the GDPR, the CPRA introduces a new class of "sensitive personal information" and creates new rights:

  • The right to have your information corrected if inaccurate
  • The right to opt out of automated decision-making technology, including profiling (the author's example: "personalized" advertising messages)
  • The right to know about, and request information on, automated decision making
  • The right to limit the use of sensitive personal information

The CPRA mandates that your website include links making it easy for users to opt out, specifically a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link where those apply. With the CPRA, though, some companies formerly covered by the CCPA will become exempt, because the definition of a covered business is somewhat relaxed: the threshold rises from 50,000 to 100,000 consumers or households per year, and devices no longer count toward it.

Prop 65: Here's another State of California law that you'll need to keep in mind. Prop 65, also known as the Safe Drinking Water and Toxic Enforcement Act of 1986, requires businesses with 10 or more employees to "provide warnings to Californians about significant exposures to chemicals that cause cancer, birth defects, or other reproductive harm." California's Office of Environmental Health Hazard Assessment (OEHHA) maintains the list of these chemicals, and it is updated regularly, so a product that needed no warning last year may need one now.

Although this law goes back to 1986, its warning regulations have been updated to keep up with the times; the current rules, in force since August 2018, explicitly cover internet and catalog sales. If you're an eCommerce marketer who sells consumer products that contain listed chemicals, this means you must not only include a "Prop 65 warning" on the product itself but also show it in your item content before the purchase is completed. That's true for content on your own website or on a marketplace like eBay.

CAN-SPAM Act: This one is an oldie but a goodie and relates specifically to email. CAN-SPAM stands for... wait for it... "Controlling the Assault of Non-Solicited Pornography And Marketing" (Act of 2003). It's somewhat controversial because it preempted some state laws that were actually tougher than CAN-SPAM.

The act had some impact on slowing the deluge of unwanted email, but anti-spam technologies have also played a big role. Unlike some of the other laws referenced here, compliance with this one is relatively straightforward. Here are some highlights: marketers must make opting out of email marketing straightforward (and honor those requests within 10 business days), marketers can't misrepresent the sender or subject of an email, every commercial message must identify itself as an ad and include a valid physical postal address, and "adult" content must be appropriately labeled. More information is available in a compliance guide hosted on the FTC's website.

While this article is by no means a comprehensive list of risks that you may face when you’re selling your product online, my hope is that this gives you enough information to spot major landmines. Don’t let these laws scare you, though - the benefits of your eCommerce growth far outweigh the costs of compliance. Go make it happen but… do it safely!



Allan's an accomplished eCommerce leader with experience on brands of all sizes including SK-II, The Art of Shaving, Samsung, and Pampers. He's responsible for maintaining the strategies and "playbook" that we use to grow your business.